Safety: ensure "bad" things never happen, e.g.
reading undefined memory (buffer overflow attacks)
division by zero
integer overflow
double free
These usually result in undefined behavior, which leaves room for the attacker to "define" what happens.
Liveness: ensure "good" things always (eventually) happen, e.g.
no deadlock
a deleted file should actually disappear
Liveness is more difficult to enforce, since it requires reasoning about what eventually happens rather than about each single step.
Information flow: how information moves between different systems or components (e.g. whether secret data can reach a public output).
Approach: statically check "contracts" (assertions such as pre- and postconditions) against the program.
Attack methods:
out-of-bounds access: overwrite control data such as return addresses or function pointers
use after free: force the freed memory to be reallocated and filled with attacker-controlled data
uninitialized memory use: rely on attacker-controlled residual data left in memory
race condition: exploit a timing window to trigger an invalid memory access in a controlled way
Values: integers, z \in \mathbb{Z}
Expression (syntax): e ::= c \mid x \mid e_1 + e_2 \mid e_1 - e_2 \mid e_1 * e_2
c is a constant
x is a variable
\mid means "or"
This grammar defines the set of all possible expressions (each of e, e_1, e_2 is again an expression).
Expression is only meaningful given a state.
States w, u, v: a state maps each variable x to a value w(x) \in \mathbb{Z}.
Value of expression e in state w is c: w[[e]] = c.
The operation w[[\cdot]] means evaluation of \cdot under state w.
So we have w[[c]] = c: a constant given a state is still the same constant
w[[x]] = w(x): a variable x given a state w is the whatever w maps x to.
w[[e_1 + e_2]] = w[[e_1]] + w[[e_2]]: evaluation of + is the same whether or not we break the expression apart.
w[[e_1 - e_2]] = w[[e_1]] - w[[e_2]]: evaluation of - is the same whether or not we break the expression apart.
w[[e_1 * e_2]] = w[[e_1]] \times w[[e_2]]: evaluation of * is the same whether or not we break the expression apart. (Evaluation is not always total: for division, w[[e_1 / e_2]] would be undefined when w[[e_2]] = 0, which is why division is not part of the grammar above.)
\cdot[[\cdot]]: evaluation. We evaluate the value of expression (second argument) in the state (first argument). The resulting type is a value.
Programs: \alpha, \beta ::= x := e \mid \alpha;\beta \mid \text{if } Q \; \alpha \; \beta \mid \text{while } Q \; \alpha
assignment x := e
sequential composition \alpha;\beta: run \alpha, then run \beta from the state \alpha ends in
conditional \text{if } Q \; \alpha \; \beta: run \alpha if Q holds in the current state, otherwise \beta
loop \text{while } Q \; \alpha: repeat \alpha as long as Q holds
A program is a relation between states (not necessarily a function, since a function cannot express "nontermination/looping" or "nondeterminism/randomness").
\cdot[[\cdot]]\cdot: the prestate (first argument) and the poststate (last argument) are related by the program (middle argument), written w[[\alpha]]v. The resulting type is a truth value.
Note that the program may contain expressions; these are evaluated in the prestate, i.e. the state of the first argument. So for assignment, w[[x := e]]v holds exactly when v = w[x \mapsto w[[e]]]. Roughly, [[\cdot]] means "evaluate" while [\cdot \mapsto \cdot] means "update".
\cdot[\cdot \mapsto \cdot]: take a state (first argument) and make a variable (second argument) map to a value (third argument), leaving all other variables unchanged. The resulting type is an updated state.
Formulas: P, Q ::= \top \mid \bot \mid \neg P \mid P \land Q \mid P \lor Q \mid P \to Q \mid e_1 = e_2 \mid e_1 \neq e_2
\top: true
\bot: false
\cdot \models \cdot: a formula (second argument) is true in a state (first argument), written w \models P. The resulting type is a truth value.
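The definitions above are precise enough to execute. The following is an added example (not code from the notes): it implements w[[e]], w[x \mapsto c], w[[\alpha]]v and w \models P in Python over the grammar just given, and uses them to check a "contract" {P} \alpha {Q} by brute force on a finite domain. The tuple encoding of the syntax, the convention that a variable missing from a state is 0, the loop budget that approximates nontermination, and the extra partial operator '/' (not in the notes' grammar, added only to show why evaluation is stated as compositional for +, -, * but not for division) are all this example's assumptions.

```python
"""Executable model of the notes' semantics: w[[e]] (evaluate), w[x |-> c]
(update), w[[alpha]]v (run) and w |= P (models).  Syntax is nested tuples, an
encoding chosen for this example:
  expressions  ('c', n) | ('x', name) | ('+', e1, e2) | ('-', e1, e2) | ('*', e1, e2)
  programs     ('assign', x, e) | ('seq', a, b) | ('if', Q, a, b) | ('while', Q, a)
  formulas     ('top',) | ('bot',) | ('not', P) | ('and', P, Q) | ('or', P, Q)
               | ('imp', P, Q) | ('eq', e1, e2) | ('neq', e1, e2)
A state w is a dict from variable names to ints, i.e. w(x); a variable absent
from the dict is taken to be 0 (assumption, so every state is total).
Extension not in the notes' grammar: ('/', e1, e2), integer division, which is
partial (undefined when e2 is 0); this is the caveat the notes attach to *."""
from itertools import product

_ARITH = {'+': lambda a, b: a + b, '-': lambda a, b: a - b, '*': lambda a, b: a * b}

class Undefined(Exception):
    """w[[e]] has no value (here: division by zero)."""

class NonTermination(Exception):
    """The loop budget ran out: alpha is taken to relate w to no poststate."""

def evaluate(w, e):
    """w[[e]]: the value of expression e in state w (compositional for +, -, *)."""
    tag = e[0]
    if tag == 'c':
        return e[1]
    if tag == 'x':
        return w.get(e[1], 0)
    a, b = evaluate(w, e[1]), evaluate(w, e[2])
    if tag == '/':
        if b == 0:
            raise Undefined("division by zero in %r" % (e,))
        return a // b
    return _ARITH[tag](a, b)

def update(w, x, value):
    """w[x |-> value]: a copy of state w in which variable x maps to value."""
    v = dict(w)
    v[x] = value
    return v

def models(w, P):
    """w |= P: whether formula P is true in state w."""
    tag = P[0]
    if tag in ('top', 'bot'):
        return tag == 'top'
    if tag == 'not':
        return not models(w, P[1])
    if tag in ('eq', 'neq'):
        return (evaluate(w, P[1]) == evaluate(w, P[2])) == (tag == 'eq')
    l, r = models(w, P[1]), models(w, P[2])
    return {'and': l and r, 'or': l or r, 'imp': (not l) or r}[tag]

def _exec(w, alpha, fuel):
    tag = alpha[0]
    if tag == 'assign':                 # w[[x := e]]v  iff  v = w[x |-> w[[e]]]
        return update(w, alpha[1], evaluate(w, alpha[2]))
    if tag == 'seq':                    # poststate of alpha is the prestate of beta
        return _exec(_exec(w, alpha[1], fuel), alpha[2], fuel)
    if tag == 'if':                     # Q is decided in the current state
        return _exec(w, alpha[2] if models(w, alpha[1]) else alpha[3], fuel)
    while models(w, alpha[1]):          # 'while': repeat the body until Q fails
        fuel[0] -= 1
        if fuel[0] < 0:
            raise NonTermination()
        w = _exec(w, alpha[2], fuel)
    return w

def run(w, alpha, fuel=10_000):
    """The poststates v with w[[alpha]]v, as a list.  Programs here are
    deterministic, so it holds at most one state; it is empty when alpha does
    not terminate from w (approximated by a loop budget) or gets stuck on an
    undefined expression.  That is why a program is a relation, not a function."""
    try:
        return [_exec(w, alpha, [fuel])]
    except (Undefined, NonTermination):
        return []

def find_counterexample(P, alpha, Q, variables, domain):
    """Brute-force check of the contract {P} alpha {Q} over every state that
    gives each listed variable a value from `domain`.  Returns (w, v) with
    w |= P, w[[alpha]]v and not v |= Q, or None if no such pair exists there.
    This is partial correctness only: a prestate from which alpha never
    terminates has no poststate to check, so liveness is not covered."""
    for values in product(domain, repeat=len(variables)):
        w = dict(zip(variables, values))
        if models(w, P):
            for v in run(w, alpha):
                if not models(v, Q):
                    return w, v
    return None

def c(n): return ('c', n)            # constant
def var(name): return ('x', name)    # variable

# x := x + y; y := x - y; x := x - y   (swap without a temporary)
SWAP = ('seq', ('assign', 'x', ('+', var('x'), var('y'))),
        ('seq', ('assign', 'y', ('-', var('x'), var('y'))),
                ('assign', 'x', ('-', var('x'), var('y')))))
# while x != 0 do x := x - 1   (terminates only for x >= 0)
COUNTDOWN = ('while', ('neq', var('x'), c(0)), ('assign', 'x', ('-', var('x'), c(1))))
SWAP_PRE = ('and', ('eq', var('x'), var('a')), ('eq', var('y'), var('b')))   # x = a and y = b
SWAP_POST = ('and', ('eq', var('x'), var('b')), ('eq', var('y'), var('a')))  # x = b and y = a
```

`find_counterexample(SWAP_PRE, SWAP, SWAP_POST, ['x', 'y', 'a', 'b'], range(-2, 3))` returns `None`, while the wrong postcondition `('eq', var('x'), var('a'))` is refuted with a concrete (prestate, poststate) pair. `run({'x': 3}, COUNTDOWN)` gives `[{'x': 0}]` but `run({'x': -1}, COUNTDOWN)` gives `[]`: the loop relates that prestate to no poststate, which is exactly the liveness failure that a partial-correctness contract cannot see, and `run({}, ('assign', 'z', ('/', c(1), var('x'))))` is likewise empty because the extended expression is undefined there.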